When installing AuthLite on the first domain controller in your organization you receive a pop-up "General access denied error"

The documentation specifies that you must be a member of "Domain Admins" but you also need to be a member of "Schema Admins".

The first installation on a DC must add elements and attributes to the schema so that the AuthLite Partition can be set up. If your account is not a member of Schema Admins (by default a domain admin is not a schema admin!) then you need to have it added, or use another appropriate account.

Remember if you add your account to this group you must log out and log back in to get an updated token, or else you will not see any difference.

If your account is a member of domain and schema admins and you receive this error, it is usually caused by a disagreement between DC's about which system has the FSMO Schema Master role. We have seen it occur in cases where the old role holder has gone offline, and one or more new DC's were later added. Seizing the schema role to an active DC may resolve the issue.

Note: AuthLite schema additions only affect our own Application Partition, and do not make any changes to built-in AD objects. The additions will have no adverse or performance effect on your directory.